WiP: staging changes

Insights:
- We should use OEM-generated pubkey naming to distinguish between OEM- and user-generated keys, and also try the default PIN for the GPG User PIN when signing, warning whether or not it works and urging users to do re-ownership
- The point is that OEM factory reset goes in the direction of using randomized PINs, while continuing to use those PINs as a user should be strongly discouraged

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-12-10 17:12:47 -05:00
parent 19fd98df2d
commit 94b77e8704
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
6 changed files with 28 additions and 18 deletions


@ -4,7 +4,7 @@ mount /boot
find /boot/kexec*.txt | gpg --verify /boot/kexec.sig -
#remove invalid kexec_* signed files
mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot
#Generate keys from GPG smartcard:
#Generate keys on OpenPGP smartcard:
mount-usb && gpg --home=/.gnupg/ --card-edit
#Copy generated public key, private_subkey, trustdb and artifacts to external media for backup:
mount -o remount,rw /media && mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor email@address.com > /media/gpg_keys/private.key && gpg --export --armor email@address.com > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null


@ -148,7 +148,7 @@ while true; do
'e' ' Replace GPG key(s) in the current ROM and reflash' \
'l' ' List GPG keys in your keyring' \
'p' ' Export public GPG key to USB drive' \
'g' ' Generate GPG keys manually on a USB security token' \
'g' ' Generate GPG keys manually on a USB security dongle' \
'x' ' Exit' \
2>/tmp/whiptail || recovery "GUI menu failed"


@ -97,16 +97,16 @@ done
attempts=0
while [ $attempts -lt 3 ]; do
read -s -p "New LUKS TPM Disk Unlock Key passphrase (DUK) for booting: " key_password
read -s -p "New LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password
echo
read -s -p "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password2
echo
if [ "$key_password" != "$key_password2" ]; then
attempts=$((attempts + 1))
if [ "$attempts" == "3" ]; then
die "Disk Unlock Key passphrases do not match. Exiting..."
die "Disk Unlock Key (DUK) passphrases do not match. Exiting..."
else
warn "Disk Unlock Key passphrases do not match. Please try again."
warn "Disk Unlock Key (DUK) passphrases do not match. Please try again."
fi
else
break
@ -168,7 +168,7 @@ for dev in $key_devices; do
die "$dev: Unable to find a key slot that can be unlocked with provided passphrase. Exiting..."
fi
# If the key slot is not the expected DUK o FRK key slot, we will ask the user to confirm the wipe
# If the key slot is not the expected DUK or DRK key slot, we will ask the user to confirm the wipe
for keyslot in "${luks_used_keyslots[@]}"; do
if [ "$keyslot" != "$drk_key_slot" ]; then
#set wipe_desired to no by default
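Review bot: The reworded prompt `read -s -p "New LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password` and the repeat prompt two lines below still read without `-r`, so a passphrase containing a backslash is altered before it is compared and stored; change both to `read -r -s -p ...`. Because both reads mangle the input the same way, the mismatch check two lines later would still pass and the problem would likely only surface later as an unlock failure. The `while [ $attempts -lt 3 ]` loop opens inside the hunk but its `done` is outside it.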


@ -146,7 +146,7 @@ reset_nk3_secret_app() {
# Reset Nitrokey 3 Secrets app with $ADMIN_PIN (default 12345678, or customised)
if lsusb | grep -q "20a0:42b2"; then
echo
warn "Resetting Nitrokey 3 Secrets App with PIN. Physical presence (touch) will be required"
warn "Resetting Nitrokey 3's Secrets App with PIN. Physical presence (touch) will be required"
# TODO: change message when https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
# Reset Nitrokey 3 secret app with PIN
# Do 3 attempts to reset Nitrokey 3 Secrets App if return code is 3 (no touch)
@ -159,7 +159,7 @@ reset_nk3_secret_app() {
if [ $error_code -eq 3 ] && [ $attempt -lt 3 ]; then
whiptail --msgbox "Nitrokey 3 requires physical presence: touch the dongle when requested" $HEIGHT $WIDTH --title "Nk3 cecrets app reset attempt: $attempt/3"
else
whiptail_error_die "Nitrokey 3 secrets app reset failed with error:$error_code. Contact Nitrokey support"
whiptail_error_die "Nitrokey 3's secrets app reset failed with error:$error_code. Contact Nitrokey support"
fi
fi
done
@ -547,10 +547,7 @@ gpg_key_factory_reset() {
#enable usb storage
enable_usb
#Reset Nitrokey 3 secret app
reset_nk3_secret_app
# Factory reset GPG card
echo "GPG factory reset of USB Security dongle's OpenPGP smartcard..."
{
@ -671,6 +668,7 @@ generate_OEM_gpg_keys() {
gpg_key_change_pin() {
TRACE_FUNC
DEBUG "Changing GPG key PIN"
# 1 = user PIN, 3 = admin PIN
PIN_TYPE=$1
@ -915,6 +913,8 @@ report_integrity_measurements() {
usb_security_token_capabilities_check() {
TRACE_FUNC
echo -e "\nChecking for USB Security dongle...\n"
enable_usb
# ... first set board config preference
if [ -n "$CONFIG_GPG_ALGO" ]; then
@ -926,6 +926,8 @@ usb_security_token_capabilities_check() {
GPG_ALGO="p256"
DEBUG "Nitrokey 3 detected: Setting GPG_ALGO to: $GPG_ALGO"
fi
#TODO: put everything related to USB Security dongle here
}
## main script start
@ -1281,8 +1283,12 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" ]; then
keytocard_subkeys_to_smartcard
fi
else
#enable usb storage
enable_usb
#Reset Nitrokey 3 secret app
reset_nk3_secret_app
#Generate GPG key and subkeys on smartcard only
echo -e "\nResetting USB Security dongle's GPG smartcard...\n(this will take around 3 minutes...)\n"
echo -e "\nResetting USB Security dongle's OpenPGP smartcard with GPG...\n(this will take around 3 minutes...)\n"
gpg_key_factory_reset
generate_OEM_gpg_keys
fi
@ -1301,7 +1307,7 @@ fi
#Applying custom GPG PINs to the smartcard if they were provided
if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then
#Only apply smartcard PIN change if smartcard only or if keytocard op is expected next
if [ "${USER_PIN}" != "" -o "${ADMIN_PIN}" != "" ]; then
if [ "${USER_PIN}" != "${USER_PIN_DEF}" -o "${ADMIN_PIN}" != "${ADMIN_PIN_DEF}" ]; then
echo -e "\nChanging default GPG Admin PIN\n"
gpg_key_change_pin "3" "${ADMIN_PIN_DEF}" "${ADMIN_PIN}"
echo -e "\nChanging default GPG User PIN\n"
@ -1387,7 +1393,7 @@ fi
## sign files in /boot and generate checksums
if [[ "$SKIP_BOOT" == "n" ]]; then
echo -e "\nSigning boot files and generating checksums...\n"
echo -e "\nUpdating checksums and signing all files in /boot...\n"
generate_checksums
fi
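Review bot: The new guard `if [ "${USER_PIN}" != "${USER_PIN_DEF}" -o "${ADMIN_PIN}" != "${ADMIN_PIN_DEF}" ]; then` treats an empty PIN as "differs from default", so when neither PIN was supplied the old `!= ""` test skipped this branch but the new one would call `gpg_key_change_pin "3" "${ADMIN_PIN_DEF}" "${ADMIN_PIN}"` with an empty new PIN — unless `USER_PIN`/`ADMIN_PIN` are pre-filled with the defaults somewhere outside the hunk, which I cannot see from here. Keeping the non-empty check alongside the default comparison, and dropping the deprecated `-o`, gives `if { [ -n "${USER_PIN}" ] && [ "${USER_PIN}" != "${USER_PIN_DEF}" ]; } || { [ -n "${ADMIN_PIN}" ] && [ "${ADMIN_PIN}" != "${ADMIN_PIN_DEF}" ]; }; then`. Separately, `reset_nk3_secret_app` moved out of `gpg_key_factory_reset` and now runs only in the smartcard-only `else` branch; if the in-memory path also reaches `gpg_key_factory_reset` before `keytocard_subkeys_to_smartcard`, the Secrets app is no longer reset there, which is worth confirming is intended. The `if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o ... ]` block containing the guard closes outside the hunk.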


@ -126,7 +126,11 @@ if [ "$((now_date - gpg_key_create_time))" -gt "$month_secs" ]; then
elif [ "$admin_pin_retries" -lt 3 ]; then
echo "Not trying default PIN ($admin_pin), only $admin_pin_retries attempt(s) left"
else
echo "Trying $prompt_message PIN ($admin_pin) to seal HOTP secret on $HOTPKEY_BRANDING... You may be requested to touch the dongle..."
echo "Trying $prompt_message PIN ($admin_pin) to seal HOTP secret on $HOTPKEY_BRANDING..."
#if we deal with the nk3, say to the user that touch will be required
if lsusb | grep -q "20a0:42b2"; then
warn "Touching the Nitrokey 3 to confirm presence operation is required"
fi
#TODO: silence the output of hotp_initialize once https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
#hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
@ -157,7 +161,7 @@ if [ "$admin_pin_status" -ne 0 ]; then
fi
else
# remind user to change admin password
warn "Factory $prompt_message default PIN detected: please change this PIN as soon as possible through OEM Factory Reset/User Re-Ownership"
warn "Factory $prompt_message default PIN 12345678 detected: please change this PIN as soon as possible through OEM Factory Reset/User Re-Ownership"
fi
# HOTP key no longer needed


@ -622,7 +622,7 @@ tpm2_unseal() {
LOG "tpm2 stderr: $line"
done <"$TMP_ERR_FILE"
rm -f "$TMP_ERR_FILE"
die "Unable to unseal secret from TPM NVRAM with tpm2 unseal"
die "Unable to unseal secret from TPM NVRAM"
fi
rm -f "$TMP_ERR_FILE"
}